Our client uses cloud-based storage for both intracompany file sharing and archiving purposes. Management began noticing that files were disappearing from archived folders. Suspecting that an employee was possibly stealing sensitive data, the company contacted Blackhawk to investigate.
At the heart of a computer forensics investigation is ‘process’. It’s absolutely critical that the forensic integrity of evidential data is preserved, otherwise it may prove inadmissible in legal proceedings.
We follow a universally recognised process to ensure the integrity of both the investigation and the data recovery procedure: Capture, Preservation, Extraction and Analysis. The final stage is delivering the actual report and forensic evidence to our client.
Investigations and actions taken
Often, cloud-based file sharing systems create file structures on the local machines attached to them. This is done so that data can be stored locally and worked on when that machine is offline, as is typical with mobile computing scenarios today. File sharing applications such as these also often offer the ability to simply drag and drop files to and from the cloud-based storage.
When the machine is again connected to the internet, the file sharing application begins ‘syncing’ the file structures, so that other team members can review updated files. While many of these systems are quite secure from inappropriate external activity, they are still susceptible to data theft from ‘privileged’ account members.
In this instance, the employee under suspicion was unaware that their employer was able to track file movements on their company-provided laptop. Blackhawk discovered that the employee was also unaware that this particular cloud file sharing application physically removed files from the storage if they were dragged onto the employee’s desktop. The employee simply believed they were ‘copying’ files.
Using a combination of analytical forensic tools and the client’s own tracking software, Blackhawk was able to trace the file transfers and show that they were copied onto external media and then deleted.
Further Actions Taken
The client has since taken Blackhawk’s advice and implemented more direct and secure archival processes for sensitive data. These processes involve using strategies more aligned to disaster recovery, where sensitive data is automatically backed up onto redundant storage services which are only accessible to key security individuals.